System and Method for Validating SCEP Certificate Enrollment Requests

ABSTRACT

A system and method for validating SCEP certificate enrollment that enforces the pairing of a SCEP challenge password and a set of expected certificate request content. A SCEP Validation Service, or software residing in another system component, determines whether a certificate request is legitimate by comparing it to registered SCEP challenges and associated expected certificate request content. This system and method addresses a privilege-escalation vulnerability in prior SCEP-based systems that could lead to a practical attack.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 13/965,841 filed on Aug. 13, 2013, which is a continuation of U.S. patent application Ser. No. 13/762,890 filed on Feb. 8, 2013, which is now U.S. Pat. No. 8,745,378, which claims the priority benefit of U.S. Provisional Patent Application No. 61/609,639 filed on Mar. 12, 2012, the disclosures of which are expressly incorporated herein in their entireties by reference.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH

Not Applicable

PARTIES TO A JOINT RESEARCH AGREEMENT

Not Applicable

REFERENCE TO APPENDIX

Not Applicable

FIELD OF THE INVENTION

The field of the present invention generally relates to computer network security, and more specifically, to systems and methods for implementing and managing security policies for computing devices requesting access to a SCEP-based network.

BACKGROUND OF THE INVENTION

The Simple Certificate Enrollment Protocol (SCEP) was developed by Verisign, Inc., of Reston, Va., for Cisco Systems, Inc., of San Jose, Calif., primarily to allow network administrators to easily enroll network computing devices for certificates in a scalable manner. Because these network computing devices are unlikely to have their identities represented in an enterprise directory or credential store, SCEP includes no provision for authenticating the identity of the requester. Instead, SCEP allows for two different authorization mechanisms. The first authorization mechanism is manual, where the requester is required to wait after submission for the Certification Authority (CA) administrator or certificate officer to approve the request. The second authorization method is a pre-shared secret, where the SCEP server creates a “challenge password” that must be somehow delivered to the requester and included with a submission back to the server.

The overall security model surrounding SCEP's creation is that of a relatively well controlled environment. In the use cases which SCEP was initially designed to solve, challenge passwords are retrieved by a highly trusted CA administrator, and given to a highly trusted network administrator, to generate certificates for highly trusted network computing devices. In many cases, the SCEP challenge may well be retrieved and used by the same administrator.

Microsoft Corporation, of Redmond, Wash., has supported SCEP for its CA software since Windows Server 2003, first as a freely downloadable add-on component, and then with Windows Server 2008 as a native component (via the Network Device Enrollment Service (NDES) role). Microsoft Corporation's SCEP implementation is relatively full featured, and allows for a variety of configuration options including: setting the length of the SCEP challenge passwords; turning the requirement of SCEP challenges on or off; allowing or disallowing the reuse of SCEP challenges; and setting the maximum time that an unused SCEP challenge should be considered valid.

When Apple Inc., of Cupertino, Calif., added SCEP to its mobile operating system (referred to as iOS), the global count of SCEP-speaking client computing devices increased by several orders of magnitude. Additionally, it moved SCEP away from the security-friendly environment in which the protocol was initially used. Instead of issuing certificates to tightly controlled network computing devices under the direction of highly trusted administrators, it is now possible to architect systems that allow SCEP enrollment of “less-trusted” computing devices and their users, over the Internet. In fact, many Mobile Device Management (MDM) systems rely on this type of architecture. This shift in possible security models is important, and will be further discussed below.

One critically important aspect of the SCEP challenge password is that while it provides authorization to submit a PKCS#10 formatted certificate request, it does not actually authenticate the requestor, nor does it even identify them. Note that PKCS is a public-key cryptography standard produced by RSA Laboratories of Bedford, Mass. Furthermore, neither the SCEP challenge, nor the SCEP server itself, makes any statement about the type or content of the request that may be submitted. In essence, possession of a valid SCEP challenge password entitles the bearer to submit a certificate request with content entirely of their own choosing to the SCEP server. This is fine in the original “admin-only” security model for which SCEP was initially created, but is cause for concern when put to use on the Internet at large.

It may be possible for a user or computing device to take their legitimately acquired SCEP challenge password, and use it to obtain a certificate that represents a different user or computing device with a higher level of access, or even to obtain a different type of certificate than what was intended. If the challenge passwords are reused or disabled, the consequences are even more dire, as the attacker would not need to be a legitimate user.

This issue is not really the “fault” of Apple, Inc., Cisco Systems, Inc., Microsoft Corporation, or of the myriad of Mobile Device Management systems that leverage SCEP. Rather it was brought about by the combination of several factors. First, SCEP challenge passwords give someone permission to submit a certificate request to the SCEP server, but make no claims or enforcement over the content of that submission. Second, iOS operated computing devices' support of SCEP has opened up avenues for SCEP requests to originate from un-trusted networks, and from less-trusted (non-administrative) users, and many Mobile Device Management systems require this. Third, many enterprise CA installations, including most default installations of Microsoft Corporation's CA, are being used to issue certificates that serve as network authentication credentials. It's also important to note that the execution of the attack does not require the use of an Apple computing device; it only requires a valid SCEP challenge password, and the ability to communicate with the SCEP server. Thus, internally-developed SCEP servers, or servers protected by a reverse proxy or firewall, are also susceptible. Accordingly, there is a need for an improved architecture for validating SCEP certificate enrollment requests.

SUMMARY OF THE INVENTION

Disclosed herein is a data security system and method for both mobile computing devices and non-mobile computing devices which overcome at least one of the above-described deficiencies of the prior art. Disclosed is a computer implemented method for validating SCEP certificate enrollment requests comprising the steps of, in combination, allowing trusted users to register SCEP challenges and associated sets of expected certificate content for the SCEP challenges, electronically receiving a certificate request via a communications network, and electronically validating the certificate request by checking whether a SCEP challenge of the certificate request matches one of the previously registered SCEP challenges and, if so, checking whether content of the certificate request matches the previously registered expected certificate content associated with the matching registered SCEP challenge. A certificate is authorized if the SCEP challenge of the certificate request matches a previously registered SCEP challenge and the content of the certificate request matches the registered expected certificate content associated with the matching registered SCEP challenge. The certificate is denied if the SCEP challenge of the certificate request does not match a previously registered SCEP challenge or if the content of the certificate request does not match the registered expected certificate content associated with the matching registered SCEP challenge.

Also disclosed is a system for validating SCEP certificate enrollment requests comprising, in combination, a SCEP Server for electronically receiving requests from trusted users to register SCEP challenges and associated sets of expected certificate content for the SCEP challenges and for electronically receiving a certificate request from a computing device via a communication network, a SCEP Issuance System for issuing SCEP challenges to the trusted users, and a SCEP Validation Service to electronically validate the certificate request. The SCEP Validation Service electronically validates the certificate request by checking whether a SCEP challenge of the certificate request matches a previously registered SCEP challenge and, if so, checking whether content of the certificate request matches the previously registered expected certificate content associated with the matching registered SCEP challenge. The SCEP Validation Service authorizes a certificate if the SCEP challenge of the certificate request matches a registered SCEP challenge and the content of the certificate request matches the registered expected certificate content associated with the matching registered SCEP challenge. The SCEP Validation Service denies the certificate if the SCEP challenge of the certificate request does not have a matching registered SCEP challenge or the content of the certificate request does not match the registered set of expected certificate content associated with the matching registered SCEP challenge.

Also disclosed is a system for validating SCEP certificate enrollment requests comprising, in combination, a SCEP Server for electronically receiving requests from trusted users to register SCEP challenges and associated sets of expected certificate content for the SCEP challenges and for electronically receiving a certificate request from a computing device via a communication network, a SCEP Issuance System for issuing SCEP challenges to the trusted users, and validation software configured to validate the certificate request. The validation software validates a certificate request by checking whether a SCEP challenge of the certificate request matches a previously registered SCEP challenge and, if so, checking whether content of the certificate request matches the previously registered expected certificate content associated with the matching registered SCEP challenge. The validation software authorizes a certificate if the SCEP challenge of the certificate request matches a registered SCEP challenge and the content of the certificate request matches the registered expected certificate content associated with the matching registered SCEP challenge. The validation software denies the certificate if the SCEP challenge of the certificate request does not have a matching registered SCEP challenge or the content of the certificate request does not match the registered set of expected certificate content associated with the matching registered SCEP challenge.

From the foregoing disclosure and the following more detailed description of various preferred embodiments it will be apparent to those skilled in the art that the present invention provides a significant advance in the technology and art of systems and methods for mobile data security. Particularly significant in this regard is the potential the invention affords for providing relatively inexpensive and effective mobile data security. Additional features and advantages of various preferred embodiments will be better understood in view of the detailed description provided below.

BRIEF DESCRIPTION OF THE DRAWINGS

These and further features of the present invention will be apparent with reference to the following description and drawings, wherein:

FIG. 1 is a schematic view of a data security system for receiving requests from computing devices via a communication network according to a first illustrated embodiment of the present invention.

FIG. 2 is a schematic view of a first part of a SCEP enrollment process for the data security system of FIG. 1.

FIG. 3 is a schematic view of a second part of the SCEP enrollment process for the data security system of FIG. 1.

FIG. 4 is a schematic view of a data security system for receiving requests from computing devices via a communication network according to a second illustrated embodiment of the present invention.

FIG. 5 is a schematic view of a second part of a SCEP enrollment process for the data security system of FIG. 4, wherein the first part of the SCEP enrollment process is similar to that shown in FIG. 2.

FIG. 6 is a schematic view of a data security system for receiving requests from computing devices via a communication network according to a third illustrated embodiment of the present invention.

FIG. 7 is a schematic view of a second part of a SCEP enrollment process for the data security system of FIG. 6, wherein the first part of the SCEP enrollment process is similar to that shown in FIG. 2.

FIG. 8 is a schematic view of a data security system for receiving requests from computing devices via a communication network according to a fourth illustrated embodiment of the present invention.

FIG. 9 is a schematic view of a second part of a SCEP enrollment process for the data security system of FIG. 8, wherein the first part of the SCEP enrollment process is similar to that shown in FIG. 2.

FIG. 10 is a schematic view of a data security system for receiving requests from computing devices via a communication network according to a further illustrated embodiment of the present invention.

FIG. 11 is a table showing examples of SCEP challenges and associated validation data for the data security systems and methods of FIGS. 1 to 10.

DETAILED DESCRIPTION OF CERTAIN PREFERRED EMBODIMENTS

It will be apparent to those skilled in the art, that is, to those who have knowledge or experience in this area of technology, that many uses and design variations are possible for the systems and methods for data security disclosed herein. The following detailed discussion of various alternative and preferred embodiments will illustrate the general principles of the invention with respect to iOS operated mobile computing devices, but other embodiments and variations suitable for other applications will be apparent to those skilled in the art given the benefit of this disclosure, for example, applications where the mobile computing devices are additionally or alternatively running other operating systems and/or the computing devices are additionally or alternatively non-mobile devices. Mobile computing devices are small handheld computing devices such as, for example, mobile phones, smart phones, tablet computers, personal digital assistants (PDA), enterprise digital assistants, calculators, handheld game consoles, portable media players, digital still cameras, digital video cameras, pagers, personal navigation devices (PND), and the like. Non-mobile devices are computing devices that are not small handheld devices such as, for example, desktop computers, portable computers (laptops, notebooks, etc.), netbooks, workstations, servers, mainframes, supercomputers, and the like.

Referring now to the drawings, FIG. 1 illustrates a data security system 10 for validating SCEP certificate enrollment requests according to a first illustrated embodiment of the present invention. The illustrated data security system 10 includes a SCEP Server 12 and a SCEP Issuance System 14, each of which is in communication with a plurality of computing devices 16 via a communication network 18. The SCEP Server 12 can be any suitable type of server and is in direct communication with a Certificate Authority 20. The illustrated Certificate Authority 20 is a Microsoft Certification Authority but any other suitable Certificate Authority 20 can alternatively be utilized. The illustrated SCEP Issuance System 14 is the mobile Certificate Management System (mCMS) available from Certified Security Solutions, Inc. (CSS Inc.), of Independence, Ohio, but can alternatively be any other suitable SCEP Issuance System 14. The illustrated computing devices 16 are mobile computing devices running iOS such as, for example, iPhones, iPads, and iPod Touches and the like available from Apple Inc., but the computing devices 16 can alternatively be any other suitable type of computing device 16 and/or can be running any other suitable operating system such as, for example, Mac OS, Android, Windows Phone, and the like. The illustrated communication network 18 is the Internet but can alternatively be any other suitable communication network.

A SCEP Validation Service 22, which provides validation service for the SCEP Issuance System 14, is located between the SCEP Issuance System 14 and the Certificate Authority 20. That is, the SCEP Issuance System 14 directly communicates with the SCEP Validation Service 22 and the SCEP Validation Service 22 is in direct communication with the Certification Authority 20. The primary function of the SCEP Validation Service 22 is to enforce the pairing of a SCEP challenge password and a set of expected certificate request content. The SCEP Validation Service 22 can be instructed through a variety of mechanisms to enforce these pairings.

The illustrated SCEP Validation Service 22 is implemented as a typical Service-oriented Architecture (SOA) component, to enable loose binding through a service contract, as well as to provide multi-platform interoperability. The services of the illustrated SCEP Validation Service 22 are exposed as a SOAP-based webservice running on HTTPS. It is possible to alternatively run the same service on TCP or Named Pipes, etc., but a true “webservice” runs over HTTPS. The illustrated webservice is built with .NET technologies, and utilizes WCF as the webservice framework. Microsoft's Internet Information Services (IIS) web server directly hosts both the SCEP Issuance System 14 as well as the SCEP Validation Service 22. These two systems can be on the same physical machine or can be separated to different machines as desired. HTTP-based web applications and webservices are typically stateless at the protocol level. However, because of the stateless nature of HTTP, a stateful component is needed to act as the data model for the SCEP challenge data. The illustrated data security system 10 needs a component that can keep the SCEP challenge in memory between when the data is submitted by the SCEP Issuance System 14 and when the validation request is made by the SCEP Enforcement Module 24. The illustrated SCEP Validation Service 22 fills that role and is implemented as a stateful Singleton component, allowing the same instance to remain active for the entire lifetime of the certificate enrollment process.

A SCEP Enforcement Module 24 is used to integrate the Certificate Authority 20 with the SCEP Validation Service 22 and is hosted by the Certificate Authority 20. The illustrated SCEP Enforcement Module 24 is implemented as a Policy Module for the Microsoft Certification Authority 20 and adheres to the ICertPolicy2 COM interface. Microsoft Corporation's architecture requires that all policy modules be implemented as COM objects supporting the ICertPolicy2 interface. There are several technology alternatives when creating a COM object, but a COM object is required regardless of the technology used. Because the illustrated Microsoft Certification Authority 20 can only have one policy module, the SCEP Enforcement Module 24 acts primarily as a “shim”—passing all communication through to the original policy module, until a certificate request containing a SCEP challenge is received. The SCEP Enforcement Module 24 then obtains the relevant information from the certificate request using a combination of standard policy module functions and parsing of the certificate request, and passes the information to the SCEP Validation Service 22 for checking. If the SCEP Validation Service 22 indicates that the information does not match what is expected, the SCEP Enforcement Module 24 denies the request.

As best shown in FIG. 2, the SCEP Validation Service 22 allows the SCEP Issuance System 14 to register permitted SCEP challenge datasets from trusted users. The term “trusted user” is used herein and in the claims to mean a person or computing device worthy of making a certificate and content submission. In most cases the trusted user making the request will be software such as CSS Inc.'s mCMS, which instructs the devices to enroll for the certificates. These registered SCEP challenge datasets are stored until the service is either unloaded from memory or the individual dataset is removed from the validation side of the service. The SCEP challenge datasets can be stored in any suitable memory or storage such as, for example, RAM (SRAM, DRAM), flash, ROM/PROM/EROM/EEROM/virtual memory, cache memory, persistent memory, hard drive, tape drive, magnetic discs, optical discs, and the like. The iOS operated computing device 16 initiates a conversation via the communication network 18 with the SCEP Issuance System 14, which in the illustrated embodiment is an mCMS website, to register. The SCEP Issuance System 14 sends a request for a SCEP challenge, that is, a SCEP challenge password, to the SCEP Server 12 and the SCEP Server 12 returns a SCEP challenge to the SCEP Issuance System 14. The SCEP Issuance System 14 then uses the SCEP Validation Service 22 to store the generated SCEP challenge dataset. Note that the illustrated SCEP Validation Service 22 is provided with a suitable database 26 for storing SCEP challenge datasets.
The SCEP Issuance System 14 also generates a mobile configuration, in the form of a .mobileconfig file for the iOS operated computing device 16, and sends the mobile configuration to the computing device 16 via the communication network 18. The computing device 16 then generates a key pair. An RSA key pair is needed to generate the PKCS#10 request. The public key is submitted in the PKCS#10 request and is embedded into the certificate the CA issues. This design allows the private key to be generated on the computing device 16, which increases security by not having to pass the key over the communication network 18.

As best shown in FIG. 3, when the SCEP Server 12 receives a certification request in the form of a PKCS#10 request from the computing device 16, the SCEP Server 12 determines whether the requester is allowed to request that particular certificate. This determination is made by sending a request for a certificate to the Certificate Authority 20, which is received by the plug-in policy module or SCEP Enforcement Module 24, which checks with the SCEP Validation Service 22 to validate the request. The SCEP Validation Service 22 checks if the request matches any of the registered SCEP challenge datasets which have been previously stored, including the SCEP Challenge and the expected content of the certificate request. FIG. 11 shows examples of SCEP challenges and associated validation data. If a matching SCEP challenge dataset is found, a positive response is returned to the computing device 16, and the SCEP challenge dataset is removed from the internal data store. The positive response is returned to the computing device 16 by the SCEP Validation Service 22 sending a positive response to the plug-in Policy Module 24, the plug-in Policy Module 24 sending an authorization response to the Certificate Authority 20, the Certificate Authority 20 sending an authorization response to the SCEP Server 12, and the SCEP Server 12 generating and sending a certificate to the computing device 16, which imports the certificate. The allowed SCEP challenges are stored and managed by the SCEP Validation Service 22. The allowed SCEP challenges can be stored in any suitable memory or storage such as, for example, RAM (SRAM, DRAM), flash, ROM/PROM/EROM/EEROM/virtual memory, cache memory, persistent memory, hard drive, tape drive, magnetic discs, optical discs, and the like. If a matching SCEP challenge dataset is not found, a negative response is returned to the computing device 16, and a certificate is not provided to the computing device 16.
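The registration step of FIG. 2 and the validation step of FIG. 3, as an added example in Python that is not part of the patent or of CSS Inc.'s mCMS: a small in-memory stand-in for the SCEP Validation Service 22 that stores (challenge, expected content) datasets, checks a parsed PKCS#10 request against the dataset keyed by its challenge password, and removes the dataset once a request has been authorized so the challenge cannot be reused. The request fields, template names, subject values and challenge strings are all constructed for illustration; extracting them from the real PKCS#10 is assumed to be done by the enforcement module.

```python
from __future__ import annotations

import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class ExpectedContent:
    """What a trusted user registers alongside a challenge (the FIG. 2 step)."""
    subject: str                          # exact subject DN the request must carry
    template: str                         # CA template the request must ask for
    sans: frozenset[str] = frozenset()    # exact set of subjectAltName values
    key_type: str = "RSA"
    min_key_bits: int = 2048


@dataclass(frozen=True)
class ParsedRequest:
    """Fields the enforcement module would pull out of the PKCS#10 request.
    DER parsing is out of scope here; the caller supplies the values."""
    challenge: str                        # challengePassword attribute
    subject: str
    template: str
    sans: frozenset[str]
    key_type: str
    key_bits: int


def mismatches(req: ParsedRequest, expected: ExpectedContent) -> list[str]:
    """Compare every registered field as an exact value or exact set.
    The full list is for the policy module's own log; the requesting
    device should only ever receive a bare denial."""
    reasons = []
    if req.subject != expected.subject:
        reasons.append("subject")
    if req.template != expected.template:
        reasons.append("template")
    if req.sans != expected.sans:         # extra or missing SANs both fail
        reasons.append("subjectAltName")
    if req.key_type != expected.key_type:
        reasons.append("key type")
    if req.key_bits < expected.min_key_bits:
        reasons.append("key size")
    return reasons


class ScepValidationService:
    """Stateful, singleton-style store of challenge -> expected content."""

    def __init__(self) -> None:
        self._datasets: dict[str, ExpectedContent] = {}
        self._lock = threading.Lock()     # issuance and validation run concurrently

    def register(self, challenge: str, expected: ExpectedContent) -> None:
        """Called by the issuance system after the SCEP server mints a challenge."""
        with self._lock:
            if challenge in self._datasets:
                raise ValueError("challenge already registered")
            self._datasets[challenge] = expected

    def validate(self, req: ParsedRequest) -> tuple[bool, list[str]]:
        """Authorize only if the challenge is registered AND every content
        field matches. The dataset is consumed on success, so one challenge
        authorizes exactly one certificate; an unknown or already-used
        challenge is denied before any content is examined."""
        with self._lock:
            expected = self._datasets.get(req.challenge)
            if expected is None:
                return False, ["no registered dataset for this challenge"]
            reasons = mismatches(req, expected)
            if reasons:
                return False, reasons
            del self._datasets[req.challenge]
            return True, []

    def pending(self) -> int:
        with self._lock:
            return len(self._datasets)


def walkthrough() -> list[tuple[bool, list[str]]]:
    """Constructed run: register one dataset, then submit three requests."""
    svc = ScepValidationService()
    challenge = "CHALLENGE-0001-CONSTRUCTED"
    svc.register(challenge, ExpectedContent(
        subject="CN=user1,O=Example", template="MobileUser",
        sans=frozenset({"user1@example.com"})))
    ok = ParsedRequest(challenge, "CN=user1,O=Example", "MobileUser",
                       frozenset({"user1@example.com"}), "RSA", 2048)
    # Valid challenge, but the content names a different identity and template.
    wrong = ParsedRequest(challenge, "CN=user2,O=Example", "ServerAuth",
                          frozenset({"user1@example.com"}), "RSA", 2048)
    # Order: mismatching content (denied, dataset kept), matching request
    # (authorized, dataset consumed), then a replay of the same request (denied).
    return [svc.validate(wrong), svc.validate(ok), svc.validate(ok)]
```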

FIG. 4 illustrates a data security system 10A for validating SCEP certificate enrollment requests according to a second illustrated embodiment of the present invention. The data security system 10A according to the second illustrated embodiment is substantially the same as the data security system 10 according to the first illustrated embodiment described hereinabove except that the SCEP Validation Service 22 is moved in front of the SCEP Server 12. That is, the SCEP Server 12 utilizes the SCEP Validation Service 22 to validate certificate requests prior to sending the certificate requests to the Certification Authority 20. The illustrated system 10A includes the SCEP Server 12 and the SCEP Issuance System 14, which are in direct communication with each other and are each in communication with computing devices 16 via the communication network 18. The SCEP Server 12 is in direct communication with the Certificate Authority 20. The SCEP Validation Service 22, which provides validation service for the SCEP Issuance System 14, is in direct communication with the SCEP Server 12 and the SCEP Issuance System 14, with the SCEP Server 12 located between the SCEP Validation Service 22 and the Certificate Authority 20. The primary function of the SCEP Validation Service 22 is to enforce the pairing of a SCEP challenge password and a set of expected certificate request content.

As best shown in FIG. 5, when the SCEP Server 12 receives a certification request in the form of a PKCS#10 request from the computing device 16, the SCEP Server 12 determines whether the requester is allowed to request that particular certificate. This determination is made by asking the SCEP Validation Service 22 to validate the request. The SCEP Validation Service 22 checks if the request matches any of the registered SCEP challenge datasets which have been previously stored, including the SCEP Challenge and the expected content of the certificate request. If a matching SCEP challenge dataset is found, a positive response is returned to the computing device 16, and the SCEP challenge dataset is removed from the internal data store. The positive response is returned to the computing device 16 by the SCEP Validation Service 22 sending a positive response to the SCEP Server 12, the SCEP Server 12 sending a certificate request to the Certificate Authority 20, the Certificate Authority 20 sending an authorization response to the SCEP Server 12, and the SCEP Server 12 generating and sending a certificate to the computing device 16, which imports the certificate. The allowed SCEP challenges are stored and managed by the SCEP Validation Service 22. If a matching SCEP challenge dataset is not found, the certificate request is blocked from the Certification Authority 20, a negative response is returned to the computing device 16, and a certificate is not provided to the computing device 16.

FIG. 6 illustrates a data security system 10B for validating SCEP certificate enrollment requests according to a third illustrated embodiment of the present invention. The data security system 10B according to the third illustrated embodiment is substantially the same as the data security system 10A according to the second illustrated embodiment described hereinabove except that the validation functions are performed by the SCEP Server 12. That is, the SCEP Server 12 itself validates certificate requests using software residing in the SCEP Server 12 prior to sending the certificate requests to the Certification Authority 20. The illustrated system 10B includes the SCEP Server 12 and the SCEP Issuance System 14, which are in direct communication with each other and are each in communication with computing devices 16 via the communication network 18. The SCEP Server 12 is in direct communication with the Certificate Authority 20. SCEP Validation Software 28, which provides validation service for the SCEP Issuance System 14, resides in the SCEP Server 12. The primary function of the SCEP Validation Software 28 is to enforce the pairing of a SCEP challenge password and a set of expected certificate request content.

As best shown in FIG. 7, when the SCEP Server 12 receives a certification request in the form of a PKCS#10 request from the computing device 16, the SCEP Server 12 determines whether the requester is allowed to request that particular certificate. This determination is made internally using the SCEP Validation Software 28 to validate the request. The SCEP Validation Software 28 checks if the request matches any of the registered SCEP challenge datasets which have been previously stored, including the SCEP Challenge and the expected content of the certificate request. If a matching SCEP challenge dataset is found, a positive response is returned to the computing device 16, and the SCEP challenge dataset is removed from the internal data store. The positive response is returned to the computing device 16 by the SCEP Validation Software 28 providing a positive response, the SCEP Server 12 sending a certificate request to the Certificate Authority 20, the Certificate Authority 20 sending an authorization response to the SCEP Server 12, and the SCEP Server 12 generating and sending a certificate to the computing device 16, which imports the certificate. The allowed SCEP challenges are stored and managed by the SCEP Validation Software 28. If a matching SCEP challenge dataset is not found, the certificate request is blocked from the Certification Authority 20, a negative response is returned to the computing device 16, and a certificate is not provided to the computing device 16.

FIG. 8 illustrates a data security system 10C for validating SCEP certificate enrollment requests according to a fourth illustrated embodiment of the present invention. The data security system 10C according to the fourth illustrated embodiment is substantially the same as the data security system 10 according to the first illustrated embodiment described hereinabove except that the validation functions are performed by the Certification Authority 20. That is, the Certification Authority 20 itself validates certificate requests using software residing in the Certification Authority 20 prior to sending authorization to the SCEP Server 12. The illustrated system 10C includes the SCEP Server 12 and the SCEP Issuance System 14, which are directly in communication with each other and are each in communication with computing devices 16 via a communication network 18. The SCEP Server 12 is in direct communication with the Certificate Authority 20. The SCEP Validation Software 28, which provides validation service for the SCEP Issuance System 14 and the Certificate Authority 20, resides within the Certificate Authority 20.

As best shown in FIG. 9, when the SCEP Server 12 receives a certification request in the form of a PKCS#10 request from the computing device 16, the SCEP Server 12 determines whether the requester is allowed to request that particular certificate. This determination is made by sending a request for a certificate to the Certificate Authority 20, which checks with the SCEP Validation Software 28 to validate the request. The SCEP Validation Software 28 checks if the request matches any of the registered SCEP challenge datasets which have been previously stored, including the SCEP Challenge and the expected content of the certificate request. If a matching SCEP challenge dataset is found, a positive response is returned to the computing device 16, and the SCEP challenge dataset is removed from the internal data store. The positive response is returned to the computing device 16 by the SCEP Validation Software 28 providing a positive response, the Certificate Authority 20 sending an authorization response to the SCEP Server 12, and the SCEP Server 12 generating and sending a certificate to the computing device 16, which imports the certificate. The allowed SCEP challenges are stored and managed by the SCEP Validation Software 28. If a matching SCEP challenge dataset is not found, a negative response is returned to the computing device 16, and a certificate is not provided to the computing device 16.

FIG. 10 illustrates a data security system 10D for validating SCEP certificate enrollment requests according to a fifth illustrated embodiment of the present invention. The data security system 10D according to the fifth illustrated embodiment is substantially the same as the data security system 10 according to the first illustrated embodiment described hereinabove, except that it utilizes a SCEP Proxy 28 that only permits certificate requests to pass to the SCEP Server 12 if the certificate request is valid. In this embodiment, V-SCEP technology is directly integrated into the SCEP Proxy 28. The computing devices 16 first enroll with mCMS residing in the Web Server 14 via the communication network 18. During this enrollment, a SCEP Dataset is registered in a central database 26. For certificate issuance, the computing device 16 generates and sends its PKCS10 request to the SCEP Proxy 28. The SCEP Proxy 28 compares the contents of the PKCS10 request from the computing device 16 with the registered SCEP Datasets in the database 26. If verification of the request contents is successful, the SCEP Proxy 28 forwards the SCEP request to the actual SCEP Server 12. The SCEP Server 12 then issues the certificate and returns the certificate contents to the SCEP Proxy 28, which sends the issued certificate to the computing device 16.
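The registration and validation flow of FIG. 9, which is also the check the SCEP Proxy of FIG. 10 performs before forwarding a request, as an added Python example that is not part of the patent or any product it describes. The certificate request is modelled as a dict of the PKCS#10 fields the validator compares (a constructed stand-in for a parsed CSR); the field names and the result strings are assumptions made for this example.

```python
import hashlib
import secrets


def _key(challenge: str) -> str:
    # Registered challenges are indexed by digest so the plaintext password is
    # not kept in the data store and lookup cost does not depend on its value.
    return hashlib.sha256(challenge.encode()).hexdigest()


class ScepValidationService:
    """Holds registered SCEP challenge datasets: challenge + expected content."""

    def __init__(self) -> None:
        self._datasets: dict[str, dict] = {}

    def register(self, expected: dict) -> str:
        """Pre-registration step: a trusted requester obtains a challenge that
        is bound to the certificate content it may later be redeemed for."""
        challenge = secrets.token_urlsafe(24)
        self._datasets[_key(challenge)] = dict(expected)
        return challenge

    def validate(self, request: dict) -> str:
        """Validation step of FIG. 9: the challenge must be registered AND every
        expected field must match; the dataset is consumed only on success."""
        challenge = request.get("challengePassword")
        if not challenge:
            return "missing-challenge"
        expected = self._datasets.get(_key(challenge))
        if expected is None:
            return "unknown-challenge"
        # A challenge issued for one device identity cannot be redeemed for a
        # different subject or SAN set: this is the pairing the patent enforces.
        for field_name, value in expected.items():
            if request.get(field_name) != value:
                return "content-mismatch"
        del self._datasets[_key(challenge)]  # single use: removed after issuance
        return "ok"


if __name__ == "__main__":
    # Constructed sample: one device enrolls, then redeems its challenge.
    svc = ScepValidationService()
    content = {"subject": "CN=dev-0042,OU=Devices,O=Example",
               "san": ("dev-0042.example.net",)}
    pw = svc.register(content)
    print(svc.validate({"challengePassword": pw, **content}))  # ok
    print(svc.validate({"challengePassword": pw, **content}))  # unknown-challenge
```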

It is noted that each of the features and variations of the above illustrated embodiments can be used in any combination with each of the other illustrated embodiments.

From the foregoing disclosure it is apparent that the above described data security system and method address the theoretical privilege-escalation vulnerability in prior SCEP-based systems that could lead to a practical attack. It is also apparent that the above described system and method address this vulnerability in both a performance effective manner and a cost effective manner. It is further apparent that the validation steps can be provided and performed in any suitable manner; for example, the software performing the validation steps can reside in any suitable component at any suitable location within the system.

From the foregoing disclosure and detailed description of certain preferred embodiments, it is also apparent that various modifications, additions and other alternative embodiments are possible without departing from the true scope and spirit of the present invention. The embodiments discussed were chosen and described to provide the best illustration of the principles of the present invention and its practical application to thereby enable one of ordinary skill in the art to utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated. All such modifications and variations are within the scope of the present invention as determined by the appended claims when interpreted in accordance with the benefit to which they are fairly, legally, and equitably entitled.

What is claimed is:
 1. A computer implemented method for validating simple certificate enrollment protocol (SCEP) certificate enrollment requests, said method comprising the steps of, in combination: electronically receiving a request via a communications network from a trusted user for a SCEP challenge to be used in a subsequent certificate request and, in response to the request, preregistering the SCEP challenge by electronically storing the SCEP challenge and associated expected certificate content for the SCEP challenge; electronically validating a certificate request including the SCEP challenge by checking whether the SCEP challenge of the certificate request was preregistered and, if so, checking whether content of the certificate request matches the stored expected certificate content associated with the preregistered SCEP challenge; and authorizing a certificate for the certificate request if the SCEP challenge of the certificate request was preregistered and the content of the certificate request matches the stored expected certificate content associated with the preregistered SCEP challenge.
 2. The computer implemented method according to claim 1, wherein the certificate request is a PKCS#10 certification request.
 3. The computer implemented method according to claim 1, wherein the validation step is performed by a SCEP Validation Service.
 4. The computer implemented method according to claim 3, wherein the certificate request is received via the communication network by a SCEP Server which sends the certificate request to a Certificate Authority which communicates with the SCEP Validation Service to validate the certificate request.
 5. The computer implemented method according to claim 4, wherein the Certificate Authority communicates with the SCEP Validation Service via a SCEP Enforcement Module.
 6. The computer implemented method according to claim 4, wherein the SCEP Enforcement Module is implemented as a Policy Module for the Certificate Authority.
 7. The computer implemented method according to claim 6, wherein the SCEP Enforcement Module passes all communications through unless a certificate request containing a SCEP challenge is received.
 8. The computer implemented method according to claim 3, wherein the SCEP Validation Service is implemented as a Service-Oriented Architecture component.
 9. The computer implemented method according to claim 5, wherein the certificate request is received via the communication network by a SCEP Server which sends the certificate request to the SCEP Validation Service for validation prior to sending the certificate request to a Certificate Authority.
 10. The computer implemented method according to claim 1, wherein the certificate request is received via the communication network by a SCEP Server which validates the certificate with software residing in the SCEP Server prior to sending the certificate request to a Certificate Authority.
 11. The computer implemented method according to claim 1, wherein the certificate request is received via the communication network by a SCEP Server which sends the certificate request to a Certificate Authority which validates the certificate request with software residing in the Certificate Authority prior to authorizing the certificate request.
 12. A system for validating simple certificate enrollment protocol (SCEP) certificate enrollment requests, said system comprising, in combination: a SCEP Server for electronically receiving a request via a communications network from a trusted user to preregister a SCEP challenge to be used in a subsequent certificate request; a SCEP Issuance System for electronically sending the SCEP challenge via the communication network to the trusted user; a SCEP Validation Service for electronically storing the SCEP challenge and associated expected certificate content for the SCEP challenge and for validating the subsequent certificate request by checking whether the SCEP challenge was preregistered and, if so, checking whether content of the subsequent certificate request matches the stored expected certificate content associated with the preregistered SCEP challenge; wherein the subsequent certificate request is validated by the SCEP Validation Service and a certificate is authorized for the subsequent certificate request if the SCEP challenge of the certificate request was preregistered and the content of the subsequent certificate request matches the stored expected certificate content associated with the preregistered SCEP challenge.
 13. The system according to claim 12, wherein the subsequent certificate request is a PKCS#10 certification request.
 14. The system according to claim 12, further comprising a Certificate Authority which receives the subsequent certificate request from the SCEP Server and communicates with the SCEP Validation Service to validate the certificate request.
 15. The system according to claim 14, wherein the Certificate Authority includes a SCEP Enforcement Module for communicating with the SCEP Validation Service.
 16. The system according to claim 15, wherein the SCEP Enforcement Module is implemented as a Policy Module for the Certificate Authority.
 17. The system according to claim 16, wherein the SCEP Enforcement Module passes all communications through unless a certificate request containing a SCEP challenge is received.
 18. The system according to claim 12, wherein the SCEP Validation Service is implemented as a Service-Oriented Architecture component.
 19. The system according to claim 12, wherein the SCEP Server sends the subsequent certificate request to the SCEP Validation Service for validation prior to sending the subsequent certificate request to a Certificate Authority.
 20. A system for validating simple certificate enrollment protocol (SCEP) certificate enrollment requests, said system comprising, in combination: a SCEP Server for electronically receiving a request via a communications network from a trusted user to preregister for a SCEP challenge to be used in a subsequent certificate request; a SCEP Issuance System for electronically sending the SCEP challenge via the communications network to the trusted user; validation software configured to electronically store the SCEP challenge and associated expected certificate content for the SCEP challenge and to validate the subsequent certificate request; and wherein the validation software validates the subsequent certificate request and authorizes a certificate for the subsequent certificate request if the SCEP challenge of the subsequent certificate request was preregistered and the content of the subsequent certificate request matches the stored expected certificate content associated with the preregistered SCEP challenge.
 21. The system according to claim 20, wherein the subsequent certificate request is a PKCS#10 certification request.
 22. The system according to claim 20, further comprising a Certificate Authority which receives the subsequent certificate request from the SCEP Server.
 23. The system according to claim 22, wherein the validation software resides in the Certificate Authority.
 24. The system according to claim 20, wherein the validation software resides in the SCEP Server.